CMS Authentication and Authorization Process

As we have already seen, CMS processing involves several layers, as follows:

• Browser

• IIS and ISAPI filters

• Worker process (ASP.NET worker process aspnet_wp.exe in IIS 5/Windows 2000, or Web worker process w3wp.exe in IIS 6/Windows 2003)

• CMS Web application and Publishing API objects

• CMS content server and the Content Repository database

A diagram showing the logical architecture of CMS page processing is shown in Figure 19-1.

NOTE: For a detailed discussion of CMS page processing in different modes, refer to Chapter 11.

As a CMS request passes through multiple layers on the server side, it is authenticated and authorized. Authentication and authorization of a CMS request consists of multiple steps and involves several technologies; it makes use of IIS and ASP.NET security mechanisms. The logical sequence of steps involved in CMS authentication and authorization is shown in Figure 19-2.

A browser has a role to play as well. Within the CMS Web application, the authentication state information is stored in a CMS authentication cookie; if cookies are disabled or not supported in the browser, the CMS application may not function properly.

We will look into each layer, starting with reviewing IIS security because the CMS application may rely on IIS for initial authentication of the user. We will then concentrate on the ASP.NET settings for authentication, impersonation, and authorization, and how their use affects the CMS Web application. Then, we will focus on CMS user authentication and authorization, and discuss the configuration required for Windows authentication and forms-based authentication in the CMS Web application.